在大量的new和delete之后,在任何一处new都有可以触发ntdll!RtlAllocateHeap+0x567处的异常,从异常后的内存dump来看,都是访问了无效内存地址产生的
线程栈:
0:011> kb
ChildEBP RetAddr Args to Child
077afd8c 77bfc3c9 003a0000 00000000 0000000c ntdll!RtlAllocateHeap+0x567
077afdcc 77bfc3e7 0000000c 077afde8 77bfc42e msvcrt!_heap_alloc+0xe0
077afdd8 77bfc42e 0000000c 00000000 0000000c msvcrt!_nh_malloc+0x13
077afde8 73d34154 0000000c 00000000 00b90f00 msvcrt!malloc+0x27
*** WARNING: Unable to verify checksum for Server.exe
077afe00 00424350 0000000c 00000000 00b6fb94 mfc42!operator new+0x31
077afe2c 0048ba5f 00000000 00000334 00000000 Server!sDataCenter::sDataCenter+0xf0
077afedc 0042e433 00b90f00 071afe5c 00b723e0 Server!CServerSend_DC::OnProcess+0xbf
077aff10 73d40bbd 00b6fb94 00180016 00b72778 Server!CTCPSocketServer_DC::m_MainLoop+0xd3
077aff80 77c0a3b0 071afe5c 00180016 71a01724 mfc42!_AfxThreadEntry+0xe6
077affb4 7c80b729 00b72458 00180016 71a01724 msvcrt!_endthreadex+0xa9
077affec 00000000 77c0a341 00b72458 00000000 kernel32!BaseThreadStart+0x37
CPU状态:
0:011> r
eax=00000000 ebx=003a0000 ecx=00b7aaf0 edx=003a0178 esi=00b7aae8 edi=00000000
eip=7c930c8e esp=077afb6c ebp=077afd8c iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
ntdll!RtlAllocateHeap+0x567:
7c930c8e 8b10 mov edx,dword ptr [eax] ds:0023:00000000=????????
反汇编:
0:011> u eip-11 eip+10
ntdll!RtlAllocateHeap+0x556:
7c930c7d 8b39 mov edi,dword ptr [ecx]
7c930c7f 89bd0cffffff mov dword ptr [ebp-0F4h],edi
7c930c85 8b460c mov eax,dword ptr [esi+0Ch] ;//将esi[00b7aae8]+0Ch赋给eax,eax为[00b7aaf4]
7c930c88 898568ffffff mov dword ptr [ebp-98h],eax ;//将值[00b7aaf4]写到内存地址为[077afd8c-98h]处
7c930c8e 8b10 mov edx,dword ptr [eax] ;//此处怎么eax就变成了[00000000]?
7c930c90 3b5704 cmp edx,dword ptr [edi+4]
7c930c93 0f85e45e0200 jne ntdll!RtlAllocateHeap+0x579 (7c956b7d)
7c930c99 3bd1 cmp edx,ecx
7c930c9b 0f85dc5e0200 jne ntdll!RtlAllocateHeap+0x579 (7c956b7d)
0:011> dd 077afd8c-98 L4
077afcf4 00000000 00000000 00000008 00000000 ;//内存[077afd8c-98h]处的值
上述问题大量存在,下述问题量不太多
另外还有在delete的时候会在ntdll!RtlpCoalesceFreeBlocks+0x128处也触发这个问题
eax=00bb3d28 ebx=003a0000 ecx=00000000 edx=00000000 esi=00bb3d20 edi=00bb3d48
eip=7c931980 esp=07aaf950 ebp=07aaf95c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!RtlpCoalesceFreeBlocks+0x128:
7c931980 8b09 mov ecx,dword ptr [ecx] ds:0023:00000000=????????
疑问:
1.为什么在短短的两三行汇编代码中,eax的值就发生了变化?是因为多线程的缘故,还是有其它原因,又是什么原因呢?
2.此错误是属于堆被破坏的错误吧,堆被破坏无非就是a,写地址越界,b,二次释放相同区域,c,释放后继续写入,我不太能够理解这三者与问题现状的关系
3.望有识之土一同讨论学习,QQ:13076933,MSN:zewuxx@msn.com